Contents

01. News Bites
  • London doctors continue to struggle as cyber attack halts pathology services.
  • International multimedia conglomerate Kadokawa Group hit by major cyberattack.
  • Lockbit 3.0 claims major cyber attack on US Federal Reserve, exfiltrates 33 TB of data.
  • Critical flaw in MOVEit Transfer exploited within a day of disclosure, urgent patches released.
  • Snowblind malware exploits Android security feature to bypass anti-tampering protections.
  • New Wi-Fi driver vulnerability in Windows allows nearby attackers remote code execution.
02. Conclusion

Quick News Bites

London Doctors continue to struggle as cyber attack halts pathology services 

Doctors' surgeries in London are still grappling with the aftermath of a cyber attack that disrupted pathology services. Synnovis, managing labs for NHS trusts and GPs in south-east London, was hacked on 3 June, leading to thousands of cancelled operations and appointments. Blood testing is severely limited, impacting routine patient care. 

NHS England stated recovery would take weeks despite significant investment in cyber security. Over 1,000 operations and 3,000 appointments have been postponed. Affected NHS trusts are managing the situation as a "critical incident," with senior officials praising staff efforts amidst ongoing challenges. 

European investigators revealed that the Russian hackers behind the attack are part of a broader cyber army of more than 100 groups. Although not under the direct control of the Russian government, this cyber army serves as a tool of global disruption, with the Kremlin turning a blind eye to their activities. 

International Multimedia conglomerate Kadokawa Group Hit by Major Cyberattack 

Kadokawa Group, a multinational media conglomerate that owns video game developer FromSoftware and Anime News Network, acknowledged a "significant cyberattack" on Thursday, stating that it is working on "solutions and workarounds" for its systems.

In a detailed update, Kadokawa Group revealed that Niconico, a popular Japanese video-sharing site, was among the hardest hit, with all services suspended since June 8. The impact on Elden Ring developer FromSoftware remains unclear. The ransomware group responsible claimed to have downloaded confidential information, including employee personal data. Kadokawa Group is investigating the extent of the data breach with external organizations. 

The games industry has been increasingly vulnerable to cyberattacks. Studios like Rockstar Games and Insomniac have faced significant ransomware attacks, leading to the leak of substantial confidential data. A recent Wired report highlighted the growing severity of ransomware attacks in 2024, describing them as "more brutal than ever." 

Lockbit 3.0 claims major cyber attack on US Federal Reserve, exfiltrates 33 TB of Data 

The notorious Russia-based ransomware gang Lockbit 3.0 has claimed responsibility for a cyber attack on the US Federal Reserve. In a post published on June 23, the gang alleged that it had infiltrated the Federal Reserve's systems and exfiltrated 33 TB of sensitive banking information.

In their post titled "federalreserve.gov," Lockbit 3.0 described the Federal Reserve's structure and role in distributing money across the 12 US banking districts. They issued a 48-hour ultimatum for the Federal Reserve to replace their negotiator, whom they disparaged as a "clinical idiot" for valuing America's banking secrecy at $50,000. Lockbit 3.0 is notorious for its aggressive negotiation tactics and targeting high-profile organizations. Recent victims include Canadian pharmacy chain London Drugs, the City of Wichita, and the Hôpital de Cannes - Simone Veil. 

This claim follows the US justice system's unmasking of Russian national Dmitry Khoroshev as the developer, creator, and administrator of the ransomware gang.

Critical flaw in MOVEit transfer exploited within a day of disclosure, urgent patches released 

Threat actors are exploiting a critical authentication bypass flaw in Progress MOVEit Transfer just one day after its disclosure. MOVEit Transfer, used for secure file transfers in enterprise environments, is affected by a newly disclosed vulnerability tracked as CVE-2024-5806. The flaw allows attackers to bypass authentication in the SFTP module and potentially access and manipulate sensitive data on the server.

The Shadowserver Foundation reported exploitation attempts shortly after Progress's bulletin on CVE-2024-5806. Around 2,700 MOVEit Transfer instances are exposed online, mainly in the US, UK, Germany, Canada, and the Netherlands. The vulnerability allows attackers to manipulate SSH public key paths, potentially exposing Net-NTLMv2 hashes. 

Exploit code and technical details are publicly available, so organisations are urged to apply the security updates and mitigations immediately. Updates for the impacted product lines are available on the Progress Community portal (2023.0.11, 2023.1.6, and 2024.0.2 for the 2023.0, 2023.1, and 2024.0 branches respectively).

Snowblind Malware exploits Android security feature to bypass anti-tampering protections 

A novel Android attack vector used by malware known as Snowblind exploits a security feature to bypass anti-tampering protections in apps that handle sensitive user data. Snowblind repackages target apps so that they cannot detect its abuse of accessibility services, which it uses to capture user input such as credentials or to gain remote control of the device for malicious actions.

Unlike other Android malware, Snowblind leverages 'seccomp' (secure computing), a Linux kernel feature that restricts the system calls a process may make, is designed to block malicious system calls, and is relied upon by application integrity checks. Mobile app security company Promon analysed Snowblind's operations after receiving a sample from i-Sprint, a partner specialising in the protection of access and identity systems.

Seccomp restricts system calls to reduce the attack surface, but Snowblind's technique appears to be under-recognised, leaving many apps vulnerable. Promon researchers say that Snowblind can disable security features such as two-factor authentication or biometric verification, enabling attackers to read sensitive on-screen information, control apps, and exfiltrate personally identifiable information and transaction data.
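To make "restricts system calls" concrete, the C program below is an added example (not code from Promon, i-Sprint, or this bulletin). It installs a minimal seccomp-bpf filter on its own thread that allows every system call except one, then reads the thread's seccomp mode back from /proc/self/status. That second step is the kind of self-check an app's integrity logic can perform: a process that finds itself running under a filter it did not install has a reason to treat its own integrity checks as untrusted. The function names, the choice of getppid as the denied call, and the three covered architectures (x86-64, i386, AArch64) are this example's own assumptions; it is Linux-only.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Audit architecture constant for the build target. Only three targets are
 * covered here (an assumption of this example); others fail to compile. */
#if defined(__x86_64__)
#define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_I386
#else
#error "unsupported architecture for this example"
#endif

/* Install a seccomp-bpf filter on the calling thread that lets every system
 * call through except `denied_nr`, which fails with EPERM instead of running.
 * Returns 0 on success, -1 (with errno set) on failure. */
int install_deny_filter(int denied_nr)
{
    struct sock_filter filter[] = {
        /* Check the architecture first so the syscall number means what we think. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Load the syscall number. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* Denied syscall: return -EPERM to the caller without executing it. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)denied_nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* Everything else is allowed. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* An unprivileged process must give up privilege escalation before filtering. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Read the seccomp mode the kernel reports for this process: 0 = none,
 * 1 = strict, 2 = filter mode; -1 if the field is missing. /proc is used
 * instead of prctl(PR_GET_SECCOMP) because a filter that denies prctl would
 * kill the process on that query. */
int seccomp_mode_from_procfs(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int mode = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "Seccomp:", 8) == 0) {
            mode = atoi(line + 8);
            break;
        }
    }
    fclose(f);
    return mode;
}

/* Returns 1 if getppid() is now refused with EPERM, 0 if it still works. */
int denied_call_is_blocked(void)
{
    errno = 0;
    long r = syscall(SYS_getppid);
    return (r == -1 && errno == EPERM) ? 1 : 0;
}

int main(void)
{
    printf("seccomp mode before: %d\n", seccomp_mode_from_procfs());
    if (install_deny_filter(SYS_getppid) != 0) {
        perror("install_deny_filter");
        return 1;
    }
    printf("seccomp mode after:  %d\n", seccomp_mode_from_procfs());
    printf("getppid() blocked:   %s\n", denied_call_is_blocked() ? "yes" : "no");
    return 0;
}
```

Two caveats for anyone turning this into a real check: container runtimes and Android itself already apply their own seccomp filters to app processes, so a mode of 2 only says "filtered", not by whom; and a filter installed from inside the same process, as Snowblind's is, can shape what the process observes, so a self-check is a signal to combine with server-side attestation rather than proof on its own.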

New Wi-Fi driver vulnerability in Windows allows nearby attackers remote code execution

A new vulnerability in the Windows Wi-Fi driver allows threat actors in physical proximity to a device to gain remote code execution.

The vulnerability (CVE-2024-30078) does not require the attacker to have direct access to the device, but they must be within range of it. It was rated 8.8 out of 10 in severity and affects almost all modern Windows OS versions.

Because the flaw is described as "trivial" to exploit, the only real mitigation is to patch affected devices (short of coating your office in Faraday material).

Closing Summary

If you are worried about any of the threats outlined in this bulletin, or need help determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.